
The chilling effects of the Volkswagen injunction on British research

At this week's Black Hat conference in Las Vegas, Charlie Miller and Chris Valasek will present their research on on-board car computer insecurities to thousands of attendees.

The DARPA-funded research will show how they can control a Toyota Prius and Ford Escape from the vehicles' ECU (Electronic Control Unit) including moving the car, stopping the car and sounding the horn.

In contrast, a House of Lords injunction granted to Volkswagen has gagged University of Birmingham lecturer Flavio Garcia from presenting his research into the Megamos Crypto RFID chips. These chips are used by the immobiliser in Volkswagen's cars.

Volkswagen claim that it could lead to the theft of millions of Porsches, Audis, Bentleys and other high end cars. According to a recent Telegraph article, Mr Garcia and his colleagues asserted that they are "responsible, legitimate academics doing responsible, legitimate academic work". Despite this, Mr Justice Birss ruled against the academics on the grounds that it would mean "that car crime will be facilitated".

So far, so reasonable, or so you might think. After all, such flaws may be difficult to fix and could lead to £250,000 cars being stolen by criminal gangs. Sadly, this kind of thinking is all too common. The fact remains that the vulnerabilities in the RFID chips used to protect the cars still exist, and are now no more likely, if anything less likely, to be fixed.

As co-organiser of the UK's biggest technical information security conference, 44Con, we often see research that's controversial. It's often controversial research that spurs changes. Barnaby Jack, the sadly recently deceased vulnerability researcher who famously 'jackpotted' ATMs at Black Hat, went on to do considerable research in the field of medical hardware, research that was in the process of improving medical security, just as his earlier work on ATMs had led to improvements in ATM security.

44Con hasn't shied away from controversy either. At our first event one speaker presented ground-breaking research on weaknesses affecting the keylogging protections in Trusteer's Rapport, an anti-phishing security product used in homes across the world by people accessing their bank accounts.

This injunction is a severe impediment to the open discussion of legitimate academic research. It sets the precedent that if a vendor doesn't like what you're doing, they can gag researchers rather than address the vulnerabilities, provided they can convince a judge that there's a criminal risk, which is no doubt easier than fixing the problem.

This will only drive such research underground, which is no good for anyone. When there's a market for vulnerabilities and exploits and the legitimate routes for research are closed, then for many, selling to the bad guys will be the only option left.

Steve Lord co-organises 44Con and is technical director of Mandalorian.
